Anticipating Abuse

At the same time, however, the notion of lowering barriers between code and content is rightly greeted with suspicion, or even horror, by enterprise developers who've learned the hard way about intrinsic insecurity due to granting too much trust to third-party executable content.

Learning to write applications that anticipate abuse and that guard against unintended behaviors is orders of magnitude more difficult than merely writing applications that correctly handle input that isn't even trying to make trouble (and the latter task still exceeds the grasp of all too many coders). Microsoft's .Net offers new coding constructs for not only stating what resources an application requires but also refusing to accept anything more. Meanwhile, encryption technology vendor RSA Security Inc., of Bedford, Mass., projects its revenues as "very much dependent on the expansion of Web services," said CEO Art Coviello in a conversation with eWEEK this spring, citing the crucial role of authentication in ensuring that a putative service provider is who it claims to be.

Enterprise IT builders will want to explore tools and services for testing of their new applications, calling on providers such as KeyLabs, a unit of Lab Acquisition Corp. KeyLabs announced last month a Web services initiative combining quality, performance and security assessment with conformance and certification testing.

But even before Web services technology takes on the challenge of cross-enterprise interaction, Microsoft is packaging the loosely coupled services model for smaller tasks with low-priced small- and medium-scale versions of its BizTalk Server product. This may prove attractive to organizations that aren't yet ready to expose their internal systems to external interactions but want to take advantage of services-based APIs to combine off-the-shelf software modules without the cost and time delays of previous application integration technologies.
"In the education arena, if we go with a single product, obviously they're not going to have everything that we want," said Judy Brown, emerging technology analyst for the University of Wisconsin System, in Madison, and an eWEEK Corporate Partner. "We would love to be able to pull in some other question generator, an assessment generator, a collaborative discussion tool or conferencing communication tool, or some kind of a grade book. These could be plugged and played through Web services and called out through the right architecture."

This opportunity in controllable environments, replicated across many other application domains, will give Web services takeoff potential long before their security and reliability issues on the public network are fully addressed. To maximize near- and long-term potentials, development teams should remain focused on the common subset of the core technologies that all Web services frameworks employ, using those frameworks' distinctive extensions only by choice, never merely because they are there.
Technology Editor Peter Coffee can be reached at firstname.lastname@example.org.
In a services environment, security becomes indispensable not just at the perimeter but also at every level of an application. Indeed, the perimeter becomes hard to define, since any function may now entail a call to a third-party service on a remote computing resource.